I'm working on revamping some indexes for data and am running into an issue with times. I'm currently ingesting entries like this one below:
```
<164>Nov 09 2017 11:26:09: %ASA-4-106023: Deny tcp src outside:191.101.167.235/45269 dst outside:65.126.243.209/8545 by access-group "private_in" [0x0, 0x0]
```
Using the Cisco filters, all the data is parsing out correctly and going into the correct fields. What I would like to do is use the field eventtime as the time filter field name. In the input filter I'm using the following statement to match the time (correctly):
```
date {
  match => ["timestamp", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss"]
}
```
Since I'm using a custom index pattern I've created a mapping for the timestamp field:
```
"timestamp" : {"type" : "date", "format" : "MMM dd YYYY hh:mm:ss"},
```
Once the time appears in the index template, the time changes to November 9th 2017, 05:26:09.000.
If I let the field be created automatically the time is recognized properly; however, I can't use the field as the time filter field. Would there be a way to just append the timezone to the timestamp field for this specific filter?
Thanks!
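An added worked example (not code from the post) that reproduces the six-hour shift described above: a zone-less timestamp string is taken as UTC when indexed, then rendered in the viewer's local zone. The device zone is assumed to be UTC-6 for illustration, since that matches the shift reported for that date; the syslog line is the one quoted in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the ASA syslog line quoted in the post.
SAMPLE_LINE = (
    '<164>Nov 09 2017 11:26:09: %ASA-4-106023: Deny tcp src outside:'
    '191.101.167.235/45269 dst outside:65.126.243.209/8545 '
    'by access-group "private_in" [0x0, 0x0]'
)

# Assumed device clock zone: a fixed UTC-6 offset, which matches the
# 11:26 -> 05:26 shift in the post. A real deployment would use a named zone.
DEVICE_TZ = timezone(timedelta(hours=-6), "UTC-6")
UTC = timezone.utc

# strptime equivalent of the post's two Joda patterns ("MMM dd yyyy HH:mm:ss"
# and "MMM d yyyy HH:mm:ss"); %d accepts both "09" and "9".
PATTERN = "%b %d %Y %H:%M:%S"

TS_RE = re.compile(r"^<\d+>([A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}):")


def extract_timestamp(line: str) -> str:
    """Return the zone-less timestamp text the Cisco grok stage stores in 'timestamp'."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no ASA timestamp at start of line")
    return m.group(1)


def parse_with_zone(text: str, zone: timezone) -> datetime:
    """Parse the text and attach a zone, as the date filter's 'timezone' option
    does. Without it, a zone-less value in a date mapping is treated as UTC."""
    return datetime.strptime(text, PATTERN).replace(tzinfo=zone)


def rendered_in(dt: datetime, zone: timezone) -> str:
    """Render the instant the way a viewer in 'zone' would see it."""
    return dt.astimezone(zone).strftime("%b %d %Y %H:%M:%S")


def as_indexed_iso(text: str, zone: timezone) -> str:
    """ISO-8601 with an explicit offset, so the index never has to guess the zone."""
    return parse_with_zone(text, zone).isoformat()


if __name__ == "__main__":
    ts = extract_timestamp(SAMPLE_LINE)
    # Zone-less text taken as UTC, shown in the local zone: the shift from the post.
    print(rendered_in(parse_with_zone(ts, UTC), DEVICE_TZ))  # Nov 09 2017 05:26:09
    # Same text with the device zone attached: the instant keeps its wall-clock time.
    print(as_indexed_iso(ts, DEVICE_TZ))  # 2017-11-09T11:26:09-06:00
```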